
OpenSSL vulnerability

In this article, we look at recent OpenSSL vulnerabilities like CVE-2022-3602 and CVE-2022-3786, and their impact on Mosaic.

Written by Yusef Abulaynain
Updated over 5 months ago

Two CVEs have been raised by the OpenSSL project:

NVD - CVE-2022-3602 (nist.gov)
NVD - CVE-2022-3786 (nist.gov)

Both CVEs are buffer overflows in OpenSSL's X.509 certificate verification code (Punycode decoding of email address name constraints) and affect OpenSSL 3.0.0 through 3.0.6 only; OpenSSL 1.1.1 and 1.0.2 are not affected. The overflow is triggered when a maliciously crafted certificate is verified, so a server is exposed where it requests a client certificate from the browser for mutual authentication, and a client is exposed when it verifies a malicious server certificate.

Effect on Mosaic

These vulnerabilities should not affect Mosaic customers, because Mosaic does not use browser client certificates (mutual TLS) when connecting, so the vulnerable certificate-verification path is never reached on the server. The OpenSSL advisory also describes several mitigating conditions which further reduce the risk: the malicious certificate must be signed by a CA the server trusts, or the server must be configured to continue verification after failing to build a path to a trusted issuer, and on most platforms stack-overflow protections make remote code execution unlikely.

Mosaic is tested on Windows with the Apache build that ships OpenSSL 1.1.1, which is not affected. Customers running Apache and WebLogic on Windows are only exposed if they have opted for an Apache build that includes OpenSSL 3.0.0 through 3.0.6.

These customers should upgrade to the Apache build with OpenSSL 3.0.7 that is now available from Apache Haus.

It is possible to check the version by running:

PS C:\Apache24\bin> openssl.exe version
OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)

3.0.4 is a vulnerable version and should be upgraded to 3.0.7 or greater. Run the command from Apache's own bin directory, as above, so that the version reported in "Library:" is the libssl DLL that httpd actually loads rather than another copy of OpenSSL on the PATH.
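The check above, scripted so it can be run across several servers, as an added example that is not part of the original article and not code from the Mosaic vendor or Apache Haus. It assumes Apache is installed under C:\Apache24 (the article's example path, overridable with -ApacheBin) and parses the output of openssl.exe version, preferring the "Library:" value because that is the libssl actually loaded at run time.

```powershell
# Added example: report the OpenSSL version bundled with an Apache Haus httpd
# install on Windows and flag the range affected by CVE-2022-3602 /
# CVE-2022-3786 (OpenSSL 3.0.0 through 3.0.6). Assumption: Apache lives under
# C:\Apache24 and its bin directory holds openssl.exe; override with -ApacheBin.
param(
    [string]$ApacheBin = 'C:\Apache24\bin'
)

function Get-OpenSslVersion {
    param([string]$Bin)
    $exe = Join-Path $Bin 'openssl.exe'
    if (-not (Test-Path $exe)) {
        throw "openssl.exe not found in $Bin; is this the Apache bin directory?"
    }
    # Typical output: "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)".
    # The value after "Library:" is the libssl DLL loaded from the same
    # directory, which is the one mod_ssl uses; prefer it over the version the
    # tool was compiled against, and fall back to the first version seen.
    $raw = & $exe version 2>&1 | Out-String
    $m = [regex]::Match($raw, 'Library:\s*OpenSSL\s+(\d+\.\d+\.\d+)')
    if (-not $m.Success) {
        $m = [regex]::Match($raw, 'OpenSSL\s+(\d+\.\d+\.\d+)')
    }
    if (-not $m.Success) {
        throw "Could not parse an OpenSSL version from: $raw"
    }
    # Letter suffixes such as 1.1.1q are dropped by the pattern; only the
    # numeric part matters for this check.
    return [version]$m.Groups[1].Value
}

function Test-OpenSslAffected {
    param([version]$Version)
    # Only 3.0.0 through 3.0.6 is affected; 1.1.1 and 3.0.7 or later are not.
    return ($Version -ge [version]'3.0.0') -and ($Version -lt [version]'3.0.7')
}

$v = Get-OpenSslVersion -Bin $ApacheBin
if (Test-OpenSslAffected -Version $v) {
    Write-Output "OpenSSL $v in $ApacheBin is affected by CVE-2022-3602/CVE-2022-3786: upgrade to the Apache Haus build with OpenSSL 3.0.7 or later."
    exit 1
}
else {
    Write-Output "OpenSSL $v in $ApacheBin is not in the affected 3.0.0-3.0.6 range."
    exit 0
}
```

The non-zero exit code makes the script usable from a scheduled task or a configuration-management run, so a server that still reports 3.0.4 shows up as a failure rather than a line of text someone has to read.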

This issue does not affect Red Hat Enterprise Linux 8, which ships OpenSSL 1.1.1; see Red Hat's bulletin RHSB-2022-004 (X.509 Email Address Buffer Overflow - OpenSSL - CVE-2022-3602 and CVE-2022-3786) on the Red Hat Customer Portal. Red Hat Enterprise Linux 9 ships OpenSSL 3.0 and does receive a fixed package from Red Hat.

Solaris customers should check the installed version of OpenSSL (for example with openssl version) and apply the vendor patch if it reports 3.0.0 through 3.0.6.
